DETAILED ACTION

1. Claims 1-30 are pending.

Claim Rejections - 35 USC §102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign 
country or in public use or on sale in this country, more than one year prior to the date 
of application for patent in the United States. 

2. Claims 1-30 are rejected under 35 U.S.C. 102(b) as being 
anticipated by Trostle (US 5,919,257). 

As per claim 1: 

Trostle discloses a machine-implemented method comprising: 

examining a set of instructions embodying an invoked application 
to identify the invoked application; [COL.2, lines 50-51 and COL.5, 
lines 22-23] 

obtaining an application-specific intrusion detection signature; and
[COL.5, lines 28-35]

monitoring network communications for the invoked application
using the application-specific intrusion detection signature to detect an
intrusion. [COL.5, lines 36-42 and COL.6, lines 13-17]

As per claim 2: See col.3, lines 19-30; discussing tracking one or
more characteristics of the network communications to identify
application-specific abnormal communication behavior.

As per claim 3: See col.5, lines 50-52; discussing tracking one or
more characteristics of the network communications comprises
comparing the one or more characteristics with one or more configurable
thresholds.

As per claim 4: See col.1, line 66 - col., line 3; discussing at least
one of the one or more configurable thresholds comprises a threshold set 
by monitoring communications for the invoked application during a 
defined time window. 

As per claim 5: See col.1, lines 39-41; discussing monitoring network
communications comprises monitoring network communications in a 
network intrusion detection system component invoked with the invoked 
application. 

As per claim 6: See col. 4, lines 32-35; discussing the network 
intrusion detection system component and the invoked application run 
within a single execution context. 

As per claim 7: See col.3, lines 8-30 and col.6, lines 13-17;
discussing providing a first application-specific remedy for a detected
intrusion; and providing a second application-specific remedy for
identified application-specific abnormal communication behavior.

As per claim 8: See col. 2, line 66 - col. 3, line 2 and col.6, lines 37-38;
discussing providing a first application-specific remedy comprises
cutting at least a portion of the network communications for the invoked
application, and wherein providing a second application-specific remedy
comprises notifying a system administrator of the identified application-
specific abnormal communication behavior.

As per claim 9: See col.5, lines 44-45; discussing obtaining the 
application-specific intrusion detection signature comprises loading the 
application-specific intrusion detection signature from a local signature 
repository. 

As per claim 10: See col.5, lines 44-45 and col.6, lines 13-20;
discussing obtaining the application-specific intrusion detection
signature comprises: requesting the application-specific intrusion
detection signature from a local signature repository in communication
with a remote signature repository; and receiving the application-specific
intrusion detection signature from the local signature repository.

As per claim 11: See col. 2, lines 44-60; discussing the set of
instructions reside in a file, and wherein examining the set of
instructions comprises: applying a hash function to data in the file to
generate a condensed representation of the data; and comparing the
condensed representation with existing condensed representations for
known applications.

As per claim 12:

Trostle teaches a machine-readable medium embodying machine 
instructions for causing one or more machines to perform operations 
comprising: 

examining a set of instructions embodying an invoked application 
to identify the invoked application; [COL.2, lines 50-51 and COL.5, 
lines 22-23] 

obtaining an application-specific intrusion detection signature; and
[COL.5, lines 28-35]

monitoring network communications for the invoked application
using the application-specific intrusion detection signature to detect an
intrusion. [COL.5, lines 36-42 and COL.6, lines 13-17]

As per claim 13: See col. 3, lines 19-30; discussing the operations
further comprise tracking one or more characteristics of the network
communications to identify application-specific abnormal
communication behavior.

As per claim 14: See col.1, lines 39-41; discussing monitoring network 
communications comprises monitoring network communications in a 
network intrusion detection system component invoked with the invoked 
application. 

As per claim 15: See col.4, lines 32-35; discussing the network 
intrusion detection system component and the invoked application run 
within a single execution context. 

As per claim 16: See col. 3, lines 8-30 and col.6, lines 13-17;
discussing the operations further comprise: providing a first application-
specific remedy for a detected intrusion; and providing a second
application-specific remedy for identified abnormal communication
behavior.

As per claim 17: See col.6, lines 37-38; discussing the first and
second application-specific remedies each comprise cutting at least a
portion of the network communications for the invoked application.

As per claim 18: See col.5, lines 44-45 and col.6, lines 13-20;
discusses obtaining the application-specific intrusion detection signature
comprises: requesting the application-specific intrusion detection
signature from a signature repository; and receiving the application-
specific intrusion detection signature from the signature repository.

As per claim 19: See col.5, lines 44-45 and col.6, lines 13-20;
discussing the signature repository comprises a local signature
repository in communication with a remote signature repository.

As per claim 20: See col.2, lines 44-60; discussing examining the set
of instructions comprises: applying a hash function to the set of
instructions to generate a condensed representation; and comparing the
condensed representation with existing condensed representations for
known applications.

As per claim 21:

A system comprising: 

a network; [COL.3, lines 55-56] 

a security operation center coupled with the network; and [COL.2, 
line 5 - COL.3, line 1 and COL.5, lines 47-48] 

one or more machines coupled with the network, each machine 
comprising a communication interface and a memory [COL.4, lines 8-13]
including an execution area configured to perform operations comprising
examining a set of instructions embodying an invoked application to
identify the invoked application [COL.2, lines 50-51 and COL.5, lines
22-23], obtaining application-specific intrusion criteria [COL.5, lines
28-35], and monitoring network communications for the invoked application
using the application-specific intrusion criteria to detect an intrusion
[COL.5, lines 36-42 and COL.6, lines 13-17].

As per claim 22: See col. 6, lines 34-35; discussing the application- 
specific intrusion criteria comprises a normal communication behavior 
threshold. 

As per claim 23: See col. 5, lines 28-35; discussing the application- 
specific intrusion criteria comprises an intrusion signature.

As per claim 24: See col.1, lines 39-41; discussing monitoring network
communications comprises monitoring network communications in a
network intrusion detection system component running in an execution
context with the invoked application.

As per claim 25: See col.3, lines 8-30 and col.6, lines 13-17;
discussing the operations further comprise providing an application-
specific remedy for a detected intrusion.

As per claim 26: See col.6, lines 37-38; discussing providing an 
application-specific remedy comprises cutting at least a portion of the 
network communications for the invoked application.

As per claim 27: See col. 2, lines 39-59 and col.5, lines 40-45;
discloses requesting the application-specific intrusion criteria from the
local repository; requesting the application-specific intrusion criteria
from the master repository if the application-specific intrusion criteria is
unavailable in the local repository; receiving the application-specific
intrusion criteria from the master repository if requested; and receiving
the application-specific intrusion criteria from the local repository.

As per claim 28: See col.2, lines 44-60; discussing examining the set
of instructions comprises: applying a hash function to the set of
instructions to generate a condensed representation; and comparing the
condensed representation with existing condensed representations for
known applications.

As per claim 29:

Trostle teaches a system comprising: 

a security operation center; [COL.2, line 5 - COL.3, line 1 and 
COL.5, lines 47-48]

one or more machines [COL.3, lines 55-59], each machine
including means for identifying a process, obtaining a process-specific 
intrusion detection signature [COL.5, lines 28-35], and monitoring 
network communications for the process using the process-specific 
intrusion detection signature to detect an intrusion; [COL.5, lines 36-42 
and COL.6, lines 13-17] 

and communication means coupling the one or more machines 
with the security operation center. [COL.5, line 66 - COL.6, line 2 and 
lines 7-13] 

As per claim 30: See col.3, lines 19-30; discussing each machine 
further includes means for tracking one or more characteristics of the 
network communications to identify process-specific abnormal 
communication behavior. 

Conclusion 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to LEYNNA T. HA 
whose telephone number is (571) 272-3851. The examiner can normally 
be reached on Monday - Thursday (7:00 - 5:00PM). 

If attempts to reach the examiner by telephone are unsuccessful, 
the examiner's supervisor, Kim Vu can be reached on (571) 272-3859. 
The fax phone number for the organization where this application or
proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained 
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either 
Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more 
information about the PAIR system, see http://pair-direct.uspto.gov. 
Should you have questions on access to the Private PAIR system, contact 
the Electronic Business Center (EBC) at 866-217-9197 (toll-free).